The New Extortion Racket

Ransomware is malware that encrypts the files on your hard drive or web site, then demands payment, usually in Bitcoin, for the key that gets them back. Access-blocking viruses have been around for at least a decade, but encrypting ransomware exploded in 2014, which security expert Brian Krebs called "the year extortion went mainstream." The trend continued into 2015, it is now showing up on mobile devices as well, and it shows no sign of slowing down. The problem is so widespread, and law enforcement so powerless to stop it, that an FBI official recently advised business owners, "The easiest thing may be to just pay the ransom."

If you are hit by a ransomware attack, that is a decision you will have to make. (A UK survey in 2014 found that 40 percent of victims had paid.) Here we focus on limiting the damage and, better still, avoiding that scenario altogether.

"As they say, an ounce of prevention is worth a pound of cure, and this is particularly true with modern ransomware," according to the Fortinet blog. "The 'cure', in this case, is often not as simple as just formatting a hard drive, restoring a backup, and/or losing some work. CryptoWall Version 3, for example, can also encrypt files on accessible network drives, making what used to be an isolated problem on an individual computer a much larger issue for an organization.

"Prevention then comes down to three things: Appropriate, layered security that can identify and block ransomware at the endpoint, as it attempts to contact command and control servers, via email gateways, and with content filtering that can block compromised sites distributing the malware; user education, designed to make rampant social engineering less effective; regular backups that serve as a last resort in case of infection."

Let's unpack that. Some of the criminal groups deploying ransomware are sophisticated enough to write new variants that slip past anti-virus signatures. But most use off-the-shelf kits that an up-to-date, layered security stack will recognize and stop. So a well-maintained perimeter, with protection on the endpoints behind it, remains your first and best defense.
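The "identify and block" and "backups as a last resort" layers above only help if someone notices the encryption while it is happening, especially on the network drives that CryptoWall 3 reaches. The Python script below is an added example, not code from this article or from Fortinet, of two inexpensive in-house detections a practitioner can run against a share: a canary file whose content must never change, and a byte-entropy check that flags files that have suddenly started to look like ciphertext. The share layout, file names, suffix list, entropy threshold and the use of random bytes to stand in for ciphertext are all constructed for the demo and are assumptions, not observed behaviour of any particular ransomware family.

```python
"""Added example (not from the article): spot mass encryption on a file share
with a canary file and a byte-entropy check over the files on the share."""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Assumption: an illustrative list of extensions some ransomware families append.
SUSPICIOUS_SUFFIXES = {".encrypted", ".locked", ".crypt"}
# Underscore sorts before lowercase names, so a walker that goes in directory
# order tends to hit the canary early.
CANARY_NAME = "_canary_do_not_touch.txt"
CANARY_CONTENT = b"canary: if this file changes, something is rewriting the share\n"
ENTROPY_THRESHOLD = 7.5   # bits per byte; ciphertext approaches 8.0, text sits near 4-5
MIN_SIZE = 256            # tiny files give unreliable entropy estimates
SAMPLE_BYTES = 4096       # only the head of each file is measured


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def plant_canary(share: Path) -> Path:
    """Drop a known-content canary; anything that rewrites the share will change it."""
    path = share / CANARY_NAME
    path.write_bytes(CANARY_CONTENT)
    return path


def scan_share(share: Path) -> dict:
    """Walk `share` and collect the three signals a mass-encryption event leaves."""
    findings = {"canary_tampered": False, "high_entropy": [], "suspicious_suffix": []}
    for path in sorted(share.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(share).as_posix()
        data = path.read_bytes()
        if path.name == CANARY_NAME:
            findings["canary_tampered"] = data != CANARY_CONTENT
            continue
        if path.suffix.lower() in SUSPICIOUS_SUFFIXES:
            findings["suspicious_suffix"].append(rel)
        # Caveat: legitimately compressed or encrypted files (zip, jpg, pgp) also
        # score near 8.0, so entropy alone is a weak signal; corroborate it.
        if len(data) >= MIN_SIZE and shannon_entropy(data[:SAMPLE_BYTES]) > ENTROPY_THRESHOLD:
            findings["high_entropy"].append(rel)
    return findings


def is_alert(findings: dict, min_encrypted_files: int = 3) -> bool:
    """A touched canary is always an alert; otherwise require several ciphertext-like files."""
    return findings["canary_tampered"] or len(findings["high_entropy"]) >= min_encrypted_files


def build_demo_share(infected: bool = False) -> Path:
    """Constructed sample share: plain documents, plus (if infected) the aftermath of
    an encryption run: originals replaced by ciphertext, canary overwritten, ransom note."""
    share = Path(tempfile.mkdtemp(prefix="share_"))
    (share / "finance").mkdir()
    (share / "notes.txt").write_bytes(b"Quarterly planning notes. " * 40)
    (share / "finance" / "budget.csv").write_bytes(b"dept,q1,q2,q3,q4\nsales,10,12,14,11\n" * 20)
    plant_canary(share)
    if infected:
        for name in ("notes.txt", "finance/budget.csv"):
            original = share / name
            original.unlink()
            # os.urandom stands in for ciphertext (assumption for the demo).
            original.with_name(original.name + ".locked").write_bytes(os.urandom(4096))
        (share / CANARY_NAME).write_bytes(os.urandom(1024))
        (share / "HELP_DECRYPT.txt").write_bytes(b"Your files have been encrypted. " * 8)
    return share


if __name__ == "__main__":
    for infected in (False, True):
        result = scan_share(build_demo_share(infected=infected))
        state = "infected" if infected else "clean"
        print(state, "->", "ALERT" if is_alert(result) else "ok", result)
```

Run it on a schedule against each mapped share, or trigger it from file-change events; the canary is the reliable signal, while the entropy and suffix checks exist to catch families that leave the canary alone. Whatever fires, the response is the same: disconnect the share, find the workstation holding the write lock, and restore from the backup the quoted advice calls the last resort.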

But no network security can prevent human error, and that is how many forms of ransomware get in. "Social engineering" in this context means tricking people into clicking links or opening attachments that let the malware through the door. Emails that mimic real shipping or delivery notices are a common ploy, and are especially effective around the holidays. Malware can also be delivered through malicious pop-up ads on web sites. Every company should set and enforce policies on appropriate computer use, and should make sure that everyone can recognize a phishing scam.

Prevention is going to become even more important in the near future, according to the Cyber Threat Alliance, a coalition of top security vendors. The CTA recently reported on CryptoWall 3 and, according to the Fortinet blog, concluded that CW3 "is just the beginning."

According to Derek Manky, Global Security Strategist for Fortinet, we can expect even more in the way of ransomware in the months and years to come: "Bootkits are going to take ransomware to the next level, attacking the whole operating system and becoming more aggressive in the ransoms they are requesting as attackers examine the business value of the intellectual property they have encrypted." Bootkits, for the record, are malware that infects the boot sector or bootloader and loads before the operating system, so it survives restoring a backup or reformatting the system partition; cleaning one up means rewriting the boot records as well, not just the files.

For more information about protecting your network from ransomware and other forms of malware, contact us.